- 11 Mar, 2020 1 commit
-
-
Madhukar Pappireddy authored
Necessary infrastructure added to integrate fconf framework in BL31 & SP_MIN. Created few populator() functions which parse HW_CONFIG device tree and registered them with fconf framework. Many of the changes are only applicable for fvp platform. This patch: 1. Adds necessary symbols and sections in BL31, SP_MIN linker script 2. Adds necessary memory map entry for translation in BL31, SP_MIN 3. Creates an abstraction layer for hardware configuration based on fconf framework 4. Adds necessary changes to build flow (makefiles) 5. Minimal callback to read hw_config dtb for capturing properties related to GIC(interrupt-controller node) 6. updates the fconf documentation Change-Id: Ib6292071f674ef093962b9e8ba0d322b7bf919af Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
-
- 06 Mar, 2020 3 commits
-
-
Sumit Garg authored
Following build flags have been added to support optional firmware encryption: - FW_ENC_STATUS: Top level firmware's encryption numeric flag, values: 0: Encryption is done with Secret Symmetric Key (SSK) which is common for a class of devices. 1: Encryption is done with Binding Secret Symmetric Key (BSSK) which is unique per device. - ENC_KEY: A 32-byte (256-bit) symmetric key in hex string format. It could be SSK or BSSK depending on FW_ENC_STATUS flag. - ENC_NONCE: A 12-byte (96-bit) encryption nonce or Initialization Vector (IV) in hex string format. - ENCRYPT_BL31: Binary flag to enable encryption of BL31 firmware. - ENCRYPT_BL32: Binary flag to enable encryption of Secure BL32 payload. Similar flags can be added to encrypt other firmwares as well depending on use-cases. Signed-off-by: Sumit Garg <sumit.garg@linaro.org> Change-Id: I94374d6830ad5908df557f63823e58383d8ad670
-
Sumit Garg authored
Add firmware authenticated encryption tool which utilizes OpenSSL library to encrypt firmwares using a key provided via cmdline. Currently this tool supports AES-GCM as an authenticated encryption algorithm. Signed-off-by: Sumit Garg <sumit.garg@linaro.org> Change-Id: I60e296af1b98f1912a19d5f91066be7ea85836e4
-
Sumit Garg authored
Add framework for autheticated decryption of data. Currently this patch optionally imports mbedtls library as a backend if build option "DECRYPTION_SUPPORT = aes_gcm" is set to perform authenticated decryption using AES-GCM algorithm. Signed-off-by: Sumit Garg <sumit.garg@linaro.org> Change-Id: I2966f0e79033151012bf4ffc66f484cd949e7271
-
- 03 Mar, 2020 1 commit
-
-
Max Shvetsov authored
Added SPMD_SPM_AT_SEL2 build command line parameter. Set to 1 to run SPM at S-EL2. Set to 0 to run SPM at S-EL1 (pre-v8.4 or S-EL2 is disabled). Removed runtime EL from SPM core manifest. Change-Id: Icb4f5ea4c800f266880db1d410d63fe27a1171c0 Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com> Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>
-
- 02 Mar, 2020 1 commit
-
-
Max Shvetsov authored
NOTE: Not all EL-2 system registers are saved/restored. This subset includes registers recognized by ARMv8.0 Change-Id: I9993c7d78d8f5f8e72d1c6c8d6fd871283aa3ce0 Signed-off-by: Jose Marinho <jose.marinho@arm.com> Signed-off-by: Olivier Deprez <olivier.deprez@arm.com> Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com> Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>
-
- 24 Feb, 2020 1 commit
-
-
Petre-Ionut Tudor authored
This patch introduces a build flag which allows the xlat tables to be mapped in a read-only region within BL31 memory. It makes it much harder for someone who has acquired the ability to write to arbitrary secure memory addresses to gain control of the translation tables. The memory attributes of the descriptors describing the tables themselves are changed to read-only secure data. This change happens at the end of BL31 runtime setup. Until this point, the tables have read-write permissions. This gives a window of opportunity for changes to be made to the tables with the MMU on (e.g. reclaiming init code). No changes can be made to the tables with the MMU turned on from this point onwards. This change is also enabled for sp_min and tspd. To make all this possible, the base table was moved to .rodata. The penalty we pay is that now .rodata must be aligned to the size of the base table (512B alignment). Still, this is better than putting the base table with the higher level tables in the xlat_table section, as that would cost us a full 4KB page. Changing the tables from read-write to read-only cannot be done with the MMU on, as the break-before-make sequence would invalidate the descriptor which resolves the level 3 page table where that very descriptor is located. This would make the translation required for writing the changes impossible, generating an MMU fault. The caches are also flushed. Signed-off-by: Petre-Ionut Tudor <petre-ionut.tudor@arm.com> Change-Id: Ibe5de307e6dc94c67d6186139ac3973516430466
-
- 20 Feb, 2020 1 commit
-
-
Manish Pandey authored
Till now TF-A allows limited number of external images to be made part of FIP. With SPM coming along, there may exist multiple SP packages which need to be inserted into FIP. To achieve this we need a more scalable approach to feed SP packages to FIP. This patch introduces changes in build system to generate and add SP packages into FIP based on information provided by platform. Platform provides information in form of JSON which contains layout description of available Secure Partitions. JSON parser script is invoked by build system early on and generates a makefile which updates FIP, SPTOOL and FDT arguments which will be used by build system later on for final packaging. "SP_LAYOUT_FILE" passed as a build argument and can be outside of TF-A tree. This option will be used only when SPD=spmd. For each SP, generated makefile will have following entries - FDT_SOURCES += sp1.dts - SPTOOL_ARGS += -i sp1.img:sp1.dtb -o sp1.pkg - FIP_ARGS += --blob uuid=XXXX-XXX...,file=SP1.pkg Signed-off-by: Manish Pandey <manish.pandey2@arm.com> Change-Id: Ib6a9c064400caa3cd825d9886008a3af67741af7
-
- 14 Feb, 2020 1 commit
-
-
Louis Mayencourt authored
This patch: - Add the __COHERENT_RAM_START__ and __COHERENT_RAM_END__ symbols. - Improve how the symbols are found with a regex. - Add a build option to revert the memory layout output. Change-Id: I54ec660261431bc98d78acb0f80e3d95bc5397ac Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
- 12 Feb, 2020 1 commit
-
-
Arve Hjønnevåg authored
If CC points to clang the linker was set to ld.lld. Copy the diectory name from CC is it has one. Change-Id: I50aef5dddee4d2540b12b6d4e68068ad004446f7 Signed-off-by: Arve Hjønnevåg <arve@android.com>
-
- 10 Feb, 2020 1 commit
-
-
Achin Gupta authored
This patch adds support to the build system to include support for the SPM dispatcher when the SPD configuration option is spmd. Signed-off-by: Achin Gupta <achin.gupta@arm.com> Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com> Change-Id: Ic1ae50ecd7403fcbcf1d318abdbd6ebdc642f732
-
- 07 Feb, 2020 1 commit
-
-
Louis Mayencourt authored
Use the firmware configuration framework to store the io_policies information inside the configuration device tree instead of the static structure in the code base. The io_policies required by BL1 can't be inside the dtb, as this one is loaded by BL1, and only available at BL2. This change currently only applies to FVP platform. Change-Id: Ic9c1ac3931a4a136aa36f7f58f66d3764c1bfca1 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
- 29 Jan, 2020 2 commits
-
-
Sandrine Bailleux authored
Allows to select the chain of trust to use when the Trusted Boot feature is enabled. This affects both the cert_create tool and the firmware itself. Right now, the only available CoT is TBBR. Change-Id: I7ab54e66508a1416cb3fcd3dfb0f055696763b3d Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-
Madhukar Pappireddy authored
Command to build HTML-formatted pages from docs: make doc Change-Id: I4103c804b3564fe67d8fc5a3373679daabf3f2e9 Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
-
- 28 Jan, 2020 2 commits
-
-
Madhukar Pappireddy authored
This flag warns if anything is declared more than once in the same scope, even in cases where multiple declaration is valid and changes nothing. Consequently, this patch also fixes the issues reported by this flag. Consider the following two lines of code from two different source files(bl_common.h and bl31_plat_setup.c): IMPORT_SYM(uintptr_t, __RO_START__, BL_CODE_BASE); IMPORT_SYM(unsigned long, __RO_START__, BL2_RO_BASE); The IMPORT_SYM macro which actually imports a linker symbol as a C expression. The macro defines the __RO_START__ as an extern variable twice, one for each instance. __RO_START__ symbol is defined by the linker script to mark the start of the Read-Only area of the memory map. Essentially, the platform code redefines the linker symbol with a different (relevant) name rather than using the standard symbol. A simple solution to fix this issue in the platform code for redundant declarations warning is to remove the second IMPORT_SYM and replace it with following assignment static const unsigned long BL2_RO_BASE = BL_CODE_BASE; Change-Id: If4835d1ee462d52b75e5afd2a59b64828707c5aa Signed-off-by: Madhukar Pappireddy <madhukar.pappireddy@arm.com>
-
Alexei Fedorov authored
This patch adds 'calc_hash' function using Mbed TLS library required for Measured Boot support. Change-Id: Ifc5aee0162d04db58ec6391e0726a526f29a52bb Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
-
- 24 Jan, 2020 3 commits
-
-
Masahiro Yamada authored
This implementation simply mimics that of BL31. Change-Id: Ibbaa4ca012d38ac211c52b0b3e97449947160e07 Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
-
Masahiro Yamada authored
This implementation simply mimics that of BL31. I did not implement the ENABLE_PIE support for BL2_IN_XIP_MEM=1 case. It would make the linker script a bit uglier. Change-Id: If3215abd99f2758dfb232e44b50320d04eba808b Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
-
Masahiro Yamada authored
docs/getting_started/build-options.rst clearly says ENABLE_PIE is currently only supported in BL31, but in fact, it has a stronger limitation: Defining ENABLE_PIE may corrupt BL1 and BL2. So, ENABLE_PIE is supported only for platforms where BL31 is the only image built in the TF-A tree. Currently, ENABLE_PIE is enabled by two platforms, plat/arm/common/arm_common.mk and ti/k3/common/plat_common.mk, both of which enable ENABLE_PIE together with RESET_TO_BL31. For platforms with the full boot sequence, ENABLE_PIE may break earlier BL stages. For example, if I build PLAT=qemu with ENABLE_PIE=1, it fails in BL1. When ENABLE_PIE is enabled, PIE options are added to TF_CFLAGS and TF_LDFLAGS, so all BL images are affected. It is problematic because currently only the BL31 linker script handles it. Even if BL1/BL2 works, the image size would increase needlessly, at least. Pass the PIE options only to BL images that support it. Change-Id: I550e95148aa3c63571c8ad2081082c554a848f57 Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
-
- 17 Jan, 2020 1 commit
-
-
Ambroise Vincent authored
The LLVM linker replaces the GNU linker as default for the link on Clang builds. It is possible to override the default linker by setting the LD build flag. The patch also updates the TF-A doc. Change-Id: Ic08552b9994d4fa8f0d4863e67a2726c1dce2e35 Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com> Signed-off-by: Zelalem Aweke <zelalem.aweke@arm.com>
-
- 14 Jan, 2020 1 commit
-
-
Balint Dobszay authored
Using the /include/ syntax, the include was evaluated by dtc, only after running the preprocessor, therefore the .dtsi files were not preprocessed. This patch adds the #include syntax instead. Evaluating this and preprocessing the files now happens in a single step, done by the C preprocessor. Change-Id: I6d0104b6274316fc736e84973502a4d6c2c9d6e0 Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>
-
- 29 Dec, 2019 1 commit
-
-
Samuel Holland authored
Some platforms are extremely memory constrained and must split BL31 between multiple non-contiguous areas in SRAM. Allow the NOBITS sections (.bss, stacks, page tables, and coherent memory) to be placed in a separate region of RAM from the loaded firmware image. Because the NOBITS region may be at a lower address than the rest of BL31, __RW_{START,END}__ and __BL31_{START,END}__ cannot include this region, or el3_entrypoint_common would attempt to invalidate the dcache for the entire address space. New symbols __NOBITS_{START,END}__ are added when SEPARATE_NOBITS_REGION is enabled, and the dcached for the NOBITS region is invalidated separately. Signed-off-by: Samuel Holland <samuel@sholland.org> Change-Id: Idedfec5e4dbee77e94f2fdd356e6ae6f4dc79d37
-
- 20 Dec, 2019 2 commits
-
-
Paul Beesley authored
The Secure Partition Manager (SPM) prototype implementation is being removed. This is preparatory work for putting in place a dispatcher component that, in turn, enables partition managers at S-EL2 / S-EL1. This patch removes: - The core service files (std_svc/spm) - The Resource Descriptor headers (include/services) - SPRT protocol support and service definitions - SPCI protocol support and service definitions Change-Id: Iaade6f6422eaf9a71187b1e2a4dffd7fb8766426 Signed-off-by: Paul Beesley <paul.beesley@arm.com> Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
-
Paul Beesley authored
There are two different implementations of Secure Partition management in TF-A. One is based on the "Management Mode" (MM) design, the other is based on the Secure Partition Client Interface (SPCI) specification. Currently there is a dependency between their build flags that shouldn't exist, making further development harder than it should be. This patch removes that dependency, making the two flags function independently. Before: ENABLE_SPM=1 is required for using either implementation. By default, the SPCI-based implementation is enabled and this is overridden if SPM_MM=1. After: ENABLE_SPM=1 enables the SPCI-based implementation. SPM_MM=1 enables the MM-based implementation. The two build flags are mutually exclusive. Note that the name of the ENABLE_SPM flag remains a bit ambiguous - this will be improved in a subsequent patch. For this patch the intention was to leave the name as-is so that it is easier to track the changes that were made. Change-Id: I8e64ee545d811c7000f27e8dc8ebb977d670608a Signed-off-by: Paul Beesley <paul.beesley@arm.com>
-
- 17 Dec, 2019 1 commit
-
-
Olivier Deprez authored
The 9p interface provides abstraction layers allowing the software that uses devices to be independent from the hardware. This patch provides a file system abstraction to link drivers to their devices and propose a common interface to expose driver operations to higher layers. This file system can be used to access and configure a device by doing read/write operations. Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com> Signed-off-by: Olivier Deprez <olivier.deprez@arm.com> Change-Id: Ia9662393baf489855dc0c8f389fe4a0afbc9c255
-
- 16 Dec, 2019 1 commit
-
-
Justin Chadwell authored
-Wpadded warns whenever the C compiler automatically includes any padding in a structure. Because TF-A has a large number of structures, this occurs fairly frequently and is incredibly verbose, and as such is unlikely to ever be fixed. The utility of this warning is also extremely limited - knowing that a structure includes padding does not point to the existence of an error, and is probably quite unlikely to indicate actually buggy behaviour. Therefore, it's probably best to keep this warning off at all times. Change-Id: I0797cb75f06b4fea0d2fdc16fd5ad978a31d76ec Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
-
- 13 Dec, 2019 1 commit
-
-
Justin Chadwell authored
A function declaration declares the name of the function and the type of the parameter it returns. A function prototype is a function declaration that also specifies the type of the arguments of the function. Essentially, a function prototype helps the compiler ensure whether the function call matches the return type and the right number/type of arguments of function. A function prototype itself serves as a function declaration for new style functions. The warning flag -wmissing-prototype is good enough to check for missing function prototype and is exhaustive compared to -wmissing-declaration, therefore making the later redundant. Note that, at this point, these flags are part of WARNING1 which is not used for TF-A build by default. Several platforms use upstream libraries (such as zlib etc) which are in old style c code. After the TF-A build process is restructred using CMake framework, we plan to enable WARNING1, WARNING2 and WARNING3 incrementally as the new build platform can compile each BL binary of a particular platform with set of unique compilation flags. Change-Id: I9c6bf9da74e0840e4d2624bc12376e199953c213 Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
-
- 04 Dec, 2019 1 commit
-
-
Samuel Holland authored
Currently, sections within .text/.rodata/.data/.bss are emitted in the order they are seen by the linker. This leads to wasted space, when a section with a larger alignment follows one with a smaller alignment. We can avoid this wasted space by sorting the sections. To take full advantage of this, we must disable generation of common symbols, so "common" data can be sorted along with the rest of .bss. An example of the improvement, from `make DEBUG=1 PLAT=sun50i_a64 bl31`: .text => no change .rodata => 16 bytes saved .data => 11 bytes saved .bss => 576 bytes saved As a side effect, the addition of `-fno-common` in TF_CFLAGS makes it easier to spot bugs in header files. Signed-off-by: Samuel Holland <samuel@sholland.org> Change-Id: I073630a9b0b84e7302a7a500d4bb4b547be01d51
-
- 03 Dec, 2019 1 commit
-
-
Justin Chadwell authored
-Wunused-const-variable=1 is already included by -Wunused-variable, which is part of -Wall. -Wunused-const-variable=2, which is what we have been using as part of W=1, warns for unused static const variables in headers, which will likely produce a lot of false positives that will take a large effort to fix. Additionally, some of these issues may be caused by different builds of TF-A where some features are used in some builds and ignored in others. Change-Id: Ifa0b16a75344cc1f6240e8d5745005f8f2046d34 Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
-
- 02 Dec, 2019 1 commit
-
-
zelalem-aweke authored
This patch enables LTO for TF-A when compiled with GCC. LTO is disabled by default and is enabled by ENABLE_LTO=1 build option. LTO is enabled only for aarch64 as there seem to be a bug in the aarch32 compiler when LTO is enabled. The changes in the makefiles include: - Adding -flto and associated flags to enable LTO. - Using gcc as a wrapper at link time instead of ld. This is recommended when using LTO as gcc internally takes care of invoking the necessary plugins for LTO. - Adding switches to pass options to ld. - Adding a flag to disable fix for erratum cortex-a53-843419 unless explicitly enabled. This is needed because GCC seem to automatically add the erratum fix when used as a wrapper for LD. Additionally, this patch updates the TF-A user guide with the new build option. Signed-off-by: zelalem-aweke <zelalem.aweke@arm.com> Change-Id: I1188c11974da98434b7dc9344e058cd1eacf5468
-
- 25 Nov, 2019 1 commit
-
-
Louis Mayencourt authored
Create a new "memmap" target for the Makefile, which prints a representation of the memory map for the build. The information are extracted from the .map files by the "print_memory_map.py" tools. Change-Id: Id5ebc7ce8a3a571c7ac4848be14657cf2fd711f4 Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
-
- 19 Nov, 2019 4 commits
-
-
Justin Chadwell authored
-Wlogical-op prevents common errors with using numerical constants where a boolean one is expected as well as when the operands of a logical operator are the same. While these are perfectly valid behavior, they can be a sign that something is slightly off. This patch adds this warning to gcc and it's closest equivalent to clang, while also fixing any warnings that enabling them causes. Change-Id: Iabadfc1e6ee0c44eef6685a23b0aed8abef8ce89 Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
-
Justin Chadwell authored
Variable shadowing is, according to the C standard, permitted and valid behaviour. However, allowing a local variable to take the same name as a global one can cause confusion and can make refactoring and bug hunting more difficult. This patch moves -Wshadow from WARNING2 into the general warning group so it is always used. It also fixes all warnings that this introduces by simply renaming the local variable to a new name Change-Id: I6b71bdce6580c6e58b5e0b41e4704ab0aa38576e Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
-
Justin Chadwell authored
Both -Wmissing-field-initializers and -Wsign-compare are both covered by -Wextra which is enabled at W=1 anyway. Therefore, the explicit options are not required. Change-Id: I2e7d95b5fc14af7c70895859a7ebbeac5bc0d2a4 Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
-
Justin Chadwell authored
This patch keeps the same warnings, and simply reorders them to keep all the warning options together in one place. Change-Id: Ibb655dcabc84f3af01a0d7f71f5af7e0479c2521 Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
-
- 15 Oct, 2019 1 commit
-
-
Deepika Bhavnani authored
Signed-off-by: Deepika Bhavnani <deepika.bhavnani@arm.com> Change-Id: Ia03701e2e37e3a00a501b144960a4a65aedbfde9
-
- 04 Oct, 2019 1 commit
-
-
Soby Mathew authored
Make the spinlock implementation use ARMv8.1-LSE CAS instruction based on a platform build option. The CAS-based implementation used to be unconditionally selected for all ARM8.1+ platforms. The previous CAS spinlock implementation had a bug wherein the spin_unlock() implementation had an `sev` after `stlr` which is not sufficient. A dsb is needed to ensure that the stlr completes prior to the sev. Having a dsb is heavyweight and a better solution would be to use load exclusive semantics to monitor the lock and wake up from wfe when a store happens to the lock. The patch implements the same. Change-Id: I5283ce4a889376e4cc01d1b9d09afa8229a2e522 Signed-off-by: Soby Mathew <soby.mathew@arm.com> Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
-
- 12 Sep, 2019 2 commits
-
-
Justin Chadwell authored
Previously, TF-A could not support large RSA key sizes as the configuration options passed to MBEDTLS prevented storing and performing calculations with the larger, higher-precision numbers required. With these changes to the arguments passed to MBEDTLS, TF-A now supports using 3072 (3K) and 4096 (4K) keys in certificates. Change-Id: Ib73a6773145d2faa25c28d04f9a42e86f2fd555f Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
-
Hadi Asyrafi authored
Some of the platform (ie. Agilex) make use of CCU IPs which will only be initialized during bl2_el3_early_platform_setup. Any operation to the cache beforehand will crash the platform. Hence, this will provide an option to skip the data cache invalidation upon bl2 entry at EL3 Signed-off-by: Hadi Asyrafi <muhammad.hadi.asyrafi.abdul.halim@intel.com> Change-Id: I2c924ed0589a72d0034714c31be8fe57237d1f06
-
- 11 Sep, 2019 1 commit
-
-
Justin Chadwell authored
This patch adds support for the Undefined Behaviour sanitizer. There are two types of support offered - minimalistic trapping support which essentially immediately crashes on undefined behaviour and full support with full debug messages. The full support relies on ubsan.c which has been adapted from code used by OPTEE. Change-Id: I417c810f4fc43dcb56db6a6a555bfd0b38440727 Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
-